Advanced Techniques in Forensic Examination of Smartphones

Advanced Techniques in Forensic Examination of Smartphones (2010)
(C) Oxygen Software, 2000-2010
 http://www.oxygen-forensic.com
Smartphone market growth

Data provided by FutureSource Consulting

The smartphone market is growing even while the general mobile phone market is falling.

A smartphone is a small PC

• Cell phone
• Address book
• Planner & Organizer
• Messenger
• Photo & Video camera
• GPS navigator
• Web client
• Platform for 3rd party apps


Smartphone as: Cell phone

Basic Information
• IMEI
• Hardware & Software revision
• Network information

Event log
• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log

SIM card
• IMSI
• Phone numbers*
• SMS messages*

* - Usually these features are not utilized by smartphones

Smartphone as: Address book

Contacts information
• Name fields: first, middle, last, nickname, prefix, suffix, joint name
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses
• Web pages and e-mail addresses
• Company, department, job title
• Text notes
• Private info: birthday, spouse, children
• Custom field labels
• Multiple fields of the same type
• Last modification date & time

Caller groups
• List of caller groups & belonging contacts

Speed dials
• List of assigned speed dials

Smartphone as: Planner

Calendar events
• Meetings, reminders and anniversaries
• Start date & time
• Finish date & time
• Alarm date & time
• Recurrence
• Last modification date & time

Tasks
• Task description
• Deadline
• Priority
• Alarm date & time
• Completion date & time

Notes
• Note text & date

Smartphone as: Messenger

Messaging system
• Text messages (SMS)
• Multimedia messages (MMS)
• E-mail messages with attached files
• BIO messages: vCard, vCal, configuration and others
• Beamed messages: files sent via Bluetooth, IR or USB
• Standard message folders
• Custom message folders
• Date & time
• Service center timestamp
• Information about deleted SMS messages



Smartphone as: GPS navigator

GPS Navigator
• Last fixed GPS coordinates
• Search history
• Routes history
• Last displayed map
• Saved maps
• List of favorite places

Location tagger
• GPS coordinates in camera snapshots*
• Cell coordinates in camera snapshots*
• Cell coordinates for camera snapshots**
• Cell coordinates for video records**
• Cell coordinates for SMS messages**

* - Available in EXIF header for many new models
** - Available in smartphones with Nokia LifeBlog application installed

Smartphone as: Web client

Web browser
• Web cache files
• Bookmarks
• Pages view history
• Last opened URLs
• Search history
• Cookies

IM client
• IP, Login (UID, e-mail) and password*
• Contacts list
• Chat history
• Calls history

* - Available for some IM clients

Smartphone as: PC

Operating System apps
• Camera snapshots
• Video clips
• Voice records
• Sounds and Podcasts
• Wi-Fi networks list
• Paired Bluetooth devices list
• Activated SIM cards list
• VPN profiles

3rd party apps
• List of installed applications
• Office documents
• Application logs & data files



Standard extraction methods

There are 2 standard ways to get forensic information from smartphones: logical and physical analysis

Logical analysis
• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)

Physical analysis
• Data extracted using direct memory reading (hex dump)
• Smartphone (or its memory chip only) connected to special hardware


Logical analysis for smartphones

AT+
• General phone information
• Contacts (simple), calls*, SMS, settings*

Nokia FBUS
• General phone information

OBEX
• General phone information
• Files*

SyncML
• General phone information
• Contacts, calendar, notes, settings*, bookmarks, messages*

Data categories shown in the slide diagram:
• Caller groups
• Custom field labels
• General phone information
• Speed dials
• Messages from custom folders
• Contacts*
• Calendar
• Event log
• Deleted messages information
• Notes
• Calls history
• Service center timestamps
• Messages*
• GPS information
• Files*
• Location tagged data
• Settings*
• Web browser data
• Bookmarks
• IM client data
• 3rd party apps

* - Available data set is restricted and depends highly on manufacturer implementation

1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization
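
What the AT channel of a logical acquisition returns, as an added example that is not part of the original slides and not Oxygen Software's code: it parses a constructed AT session transcript into structured records and checks the IMEI check digit (Luhn over 15 digits). AT+CGSN, AT+CIMI and AT+CPBR are the standard 3GPP TS 27.007 commands, assumed here to be supported by the handset; every value in the transcript is constructed.

```python
import re

# Constructed transcript of an AT session (not from a real device).
SAMPLE_SESSION = """\
AT+CGSN
490154203237518
OK
AT+CIMI
001010123456789
OK
AT+CPBR=1,3
+CPBR: 1,"+15550100",145,"Alice Example"
+CPBR: 2,"5550101",129,"Bob, work"
OK
"""

# Phonebook entry: index, number, type of address, name (nothing more).
CPBR = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"')

def luhn_ok(imei):
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_session(text):
    out = {"imei": None, "imei_valid": False, "imsi": None,
           "contacts": [], "failed": []}
    cmd = None  # command whose response lines are being read
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.upper().startswith("AT"):
            cmd = line.upper()
        elif line == "OK":
            cmd = None
        elif line == "ERROR" or line.startswith("+CME ERROR"):
            out["failed"].append(cmd)  # record what the handset refused
            cmd = None
        elif cmd == "AT+CGSN":
            out["imei"], out["imei_valid"] = line, luhn_ok(line)
        elif cmd == "AT+CIMI":
            out["imsi"] = line
        elif cmd and cmd.startswith("AT+CPBR") and (m := CPBR.match(line)):
            idx, number, toa, name = m.groups()
            out["contacts"].append({"index": int(idx), "number": number,
                                    "international": toa == "145", "name": name})
    return out
```

Each phonebook record carries only an index, a number, a number type and a name, which is the "Contacts (simple)" limit of the AT channel listed above.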

Physical analysis for smartphones

How to deal with gigabytes of that?

Standard extraction methods: Summary

Logical analysis
• Little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed



How to extract data without a headache?

In 2002 Oxygen Software invented the 3rd way: analysis using a special agent application working inside the smartphone OS

* - Agent can extract all the information available for native OS applications

Agent application usage

General phone information & SIM card data
Contacts with all fields and custom field labels
Caller groups & Speed dials
Event Log
Calendar events
Tasks & Notes
Messages from standard and custom folders
Deleted messages information
Service center timestamp
Camera snapshots, video clips and voice records
File system
GPS & Location tagged information
Web browser cache & bookmarks
IM clients data
3rd party applications with their information

- Protected operating system files
- Memory dump


Afraid of writing to device?

Comparison of phone content changes when performing analysis using different approaches

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files

Unlike the Agent, a SyncML server is not a forensically designed application and is not under the examiner's full control. In addition, it makes more data modifications than the Agent.

Summary

Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. That will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phones
Being multiple-in-one devices with an OS that has an open API, smartphones are turning into small PCs with large memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, so they can extract only the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and allows the extracted data to be presented in a readable and user-friendly format that is more typical of logical analysis.

Interested in more details?

Oxygen Forensic Suite 2010
www.oxygen-forensic.com

Oxygen Forensics for iPhone
www.iphone-forensics.com

+44 (0) 20 8133 8450 (UK)
+1 877 9-OXYGEN (USA)

£499 Standard
£899 Professional

Oxygen Forensic Suite and Oxygen Forensic Suite 2010 are the trademarks of Oxygen Software.
Oxygen Software LLC was founded in year 2000 and since that time our business has been PC-to-mobile communication.



				